Abstract

Recent advances in the design and analysis of secure two-party key exchange (2KE) such as the leakage of ephemeral secrets used during the attacked sessions remained unnoticed by the current models for group key exchange (GKE). Focusing on a special case of GKE — the tripartite key exchange (3KE) — that allows for efficient one-round protocols, we demonstrate how to incorporate these advances to the multi-party setting. From this perspective our work closes the most pronounced gap between provably secure 2KE and GKE protocols. The proposed 3KE protocol is an implicitly authenticated protocol with one communication round which remains secure even in the event of ephemeral secret leakage. It also significantly improves upon currently known 3KE protocols, many of which are insecure. An optional key confirmation round can be added to our proposal to achieve the explicitly authenticated protocol variant